FBI admits to exploiting Tor to take down child porn behemoth

The Federal Bureau of Investigation has acknowledged it was behind the malware that infiltrated the servers for Freedom Hosting, one of the largest providers of anonymity online, and identified the service's users.

Internet security experts have long suspected the FBI was behind
the cyber-attack, which appeared to target and monitor internet
users on Freedom Hosting, which provided hosting for even more
anonymous, so-called “hidden services” on the Tor
anonymity network. While some users signed up with Freedom
Hosting to encrypt their email and everyday Internet use, the FBI
alleges that the service became “the largest facilitator of
child porn on the planet.”

Eric Eoin Marques, a US-born 28-year-old living in Dublin,
Ireland, is accused of being the chief architect behind Freedom
Hosting, responsible for hosting child porn on 550 servers
throughout Europe. Freedom Hosting is also accused of providing
services for money-laundering operations, fraud fronts, and child
abuse discussion boards with names like Lolita City and
PedoEmpire, according to The Independent.

Marques is wanted in the US for four charges in connection with
images on the websites, described as brutal depictions of the
rape and torture of underage children.

The FBI’s involvement was acknowledged for the first time
Thursday during a bail hearing in Dublin, where Marques is
fighting extradition to the United States. He was denied bail for
the second time since his arrest in July.

Investigators have not commented on the case but local press
accounts reported that FBI Supervisory Special Agent Brooke
Donahue testified in court that Marques dove for his laptop when
agents raided his home this summer. A forged passport was found
in Marques’ possession and his interest in Russia was piqued when
NSA whistleblower Edward Snowden first entered the headlines.

“My suspicion is he was trying to look for a place to reside
to make it the most difficult to be extradited to the US,”
Donahue said, as quoted by the Irish Independent. “He was
looking to engage in financial transactions with another hosting
company in Russia.”

Marques’ lawyer refused to comment to reporters, but Wired reported
he is facing federal charges in Maryland, where his indictment is
under seal. Donahue said that the gravity of the charges could mean
Marques will “spend the rest of his life in prison.”

Hackers from the Anonymous collective launched a
distributed denial-of-service attack against Freedom Hosting in
2011. Normally advocates of privacy and freedom online, Anonymous
asserted that it determined Freedom Hosting hosted 95 per cent of
the child porn web pages on the Tor network. Donahue said
Thursday that Freedom Hosting facilitated at least 100 sites,
each with thousands of users, and Marques himself was a frequent
visitor.

Marques has not admitted to being the leader of Freedom Hosting
and his father told The Sunday Times that any reports indicating
the contrary were only “speculation.” He did admit in court
Thursday that he had earned “substantial” sums of money from his
involvement with the network.

It is not known when the FBI initially gained access to Freedom
Hosting but the network went down on August 4. The key piece of
malware used in the hack is known as the Magneto code variable,
which does not download anything but accesses the “victim’s
MAC address – a unique hardware identifier for the computer’s
network or WiFi card – and the victim’s Windows hostname,”
according to Wired.

That information then bypassed Tor and was sent back to servers
housed in Northern Virginia, fueling speculation that the FBI or
National Security Agency were the culprits. The software is
also consistent with the FBI’s computer and internet protocol
address verifier (CIPAV), which law enforcement has used to
subvert anonymity software belonging to hackers, extortionists,
sexual predators, and others since 2002.